Legal Update

Protecting Personal Data in the Cloud

November 3, 2020


(This article was first published in Volume 9 of RT ASEAN’s Review Times)

In Singapore, personal data is protected under the Personal Data Protection Act 2012[1] (“PDPA”), which is administered by the Personal Data Protection Commission of Singapore (“PDPC”).

With the advent of cloud computing and the ubiquity of cloud storage services being utilised by organisations across various industries in today’s Internet Age, the PDPC published Chapter 8 to its Advisory Guidelines on the PDPA for Selected Topics[2] (“Guidelines”) in October 2019, specifically pertaining to the use of cloud services. The Guidelines do not have the force of law, but are helpful in clarifying the obligations that organisations in Singapore must comply with when engaging the services of a Cloud Service Provider (“CSP”) who may host or process personal data within or outside of Singapore.

Chapter 8 of the Guidelines clarifies that any organisation that engages the services of a CSP still remains responsible for complying with the PDPA in respect of personal data processed (which includes the holding and retrieval of data) by its CSP on its behalf and for its purposes.

For instance, organisations should ensure that reasonable security arrangements are put in place to protect the personal data that the organisation possesses or transfers to its CSP. In December 2019, Honestbee Pte Ltd was fined $8,000 for failing to put in place the security measures necessary to protect personal data that was placed in its Amazon Web Services (“AWS”) file repository. Honestbee had mistakenly placed personal data into a file folder without access restrictions, thereby allowing anyone with AWS’s command line to gain access to the personal data.[3]

Where a CSP hosts or processes data outside of Singapore, the organisation engaging such CSP must also comply with transfer limitation obligations under the PDPA for any overseas transfer of personal data. In particular, the organisation must ensure that its CSP only transfers personal data to locations with data protection regimes of a standard which is comparable to the standards of the PDPA, or include terms in the agreement between the CSP and the organisation to establish a standard of protection comparable to that of the PDPA for any personal data transferred to local or overseas locations.

In light of the above, organisations in Singapore that wish to engage the services of CSPs must familiarise themselves with their obligations under the PDPA and carefully consider the following when selecting their CSP:

  1. Whether the jurisdiction(s) in which the CSP hosts or processes data has/have in place data protection regimes that are comparable to the PDPA; and
  2. Whether the CSP is or will be bound by legally enforceable obligations to ensure a standard of data protection comparable to that of the PDPA.

It should be noted that the Personal Data Protection (Amendment) Bill 2020[4] (“PDP Bill”) was introduced and read for the first time in the Singapore Parliament on 5 October 2020. The PDP Bill introduces a slew of key amendments to the PDPA, including but not limited to:

  1. Introduction of a right for individuals to request for their data to be transmitted to another service provider;
  2. Obligations to report data breaches to the PDPC and affected individuals;
  3. Expansion of the concept of deemed consent to the processing of personal data;
  4. Introduction of new exceptions to consent; and
  5. Increased financial penalties for breaches of the PDPA.

While none of the proposed amendments under the PDP Bill have a direct impact on the information set out above, organisations are advised to familiarise themselves with the changes proposed in the new PDP Bill prior to its anticipated enactment in the near future.

[1] The Personal Data Protection Act 2012 (Act 26 of 2012) may be accessed at: https://sso.agc.gov.sg/Act/PDPA2012.

[2] The Advisory Guidelines on the PDPA for Selected Topics may be accessed at: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Selected-Topics/Advisory-Guidelines-on-PDPA-for-Selected-Topics-9-Oct-2019.pdf?la=en. Chapter 8 on Cloud Services can be found at pages 56-58.

[3] A summary of the PDPC’s decision on Honestbee Pte Ltd’s breach of the PDPA may be found at: https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-honestbee.

[4] The PDP Bill can be accessed at https://www.mci.gov.sg/-/media/mcicorp/doc/public-consultations/public-consultation-on-pdp-amendment-bill—14may2020/pdp-amendment-bill.ashx.
